Online web-based services are widely used today, typical examples being online banking services and online shopping services. However, problems associated with transaction security have posed serious challenges and risks to institutions and their customers. In a global economy with billions of transactions carried daily over insecure public Internet Protocol (IP) networks, identity and/or personal information protection becomes paramount. In general, a customer computer environment is considered to be insecure due to its vulnerability to a variety of malicious software, such as keystroke recorder, Trojan horse, or even screen recorder, etc., that are able to record keystrokes, redirect critical messages to a fake server, or effectively “video record” a computer screen. Through a variety of means, hackers are able to steal customer identities and/or personal information. Even worse, critical data may be modified.
The traditional way to authenticate a customer is for a client computer to provide a user-id and a password. However, this one-factor (e.g., the combination of a user-id and a password) authentication is not secure enough to protect either the customer or the institution from attacks by malicious software or malware (including Trojan horses) using approaches, such as man-in-the-middle (MITM), man-in-the-browser (MITB), and keystroke logging.
Since the user-id and the password may be stolen, an identity verification device, e.g., a universal serial bus (USB) device loaded with a public key infrastructure (PKI) certificate, an integrated circuit (IC) electronic card or a dynamic token, may additionally be used for verifying the identity of the customer, thereby making the cost of customer service for personalization, distribution and troubleshooting considerable. Further, the necessity of having different identify verification devices for different institutions proves to be quite inconvenient for customers.
Therefore, there is still room for improvement in the above techniques.